CVE-2025-13342

CRITICAL EXPLOITED

Frontend Admin by DynamiApps <3.28.20 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-13342 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including Nxploited, Altelus1.

AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2025-13342, targeting ACF (Advanced Custom Fields) Frontend Form vulnerabilities in WordPress. The script automates the discovery of vulnerable forms and attempts to create an administrator user via AJAX requests.

Description

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email via submitting crafted form data to public frontend forms.

Exploits (2)

nomisec WORKING POC
by Nxploited · remote
https://github.com/Nxploited/CVE-2025-13342

This repository contains a functional Python exploit for CVE-2025-13342, targeting ACF (Advanced Custom Fields) Frontend Form vulnerabilities in WordPress. The script automates the discovery of vulnerable forms and attempts to create an administrator user via AJAX requests.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Advanced Custom Fields (ACF) Frontend Form (WordPress plugin)
No auth needed
Prerequisites: WordPress site with vulnerable ACF Frontend Form plugin · Access to registration or form submission endpoints
devstral-2 · analyzed Apr 18, 2026 Full analysis →
nomisec WORKING POC
by Altelus1 · remote
https://github.com/Altelus1/CVE-2025-13342

This PoC exploits an unauthenticated arbitrary options update vulnerability in the Frontend Admin by DynamiApps WordPress plugin (CVE-2025-13342). It enables user registration and sets the default role to administrator by leveraging a publicly accessible form.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Frontend Admin by DynamiApps WordPress plugin <= 3.28.20
No auth needed
Prerequisites: Publicly accessible form created via Frontend Admin plugin · Target WordPress site with vulnerable plugin version
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.8
EPSS 0.0009
EPSS Percentile 25.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2025-12-03
CWE
CWE-862
Status published
Products (1)
shabti/Frontend Admin by DynamiApps < 3.28.20
Published Dec 03, 2025
Tracked Since Feb 18, 2026